diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8d4a1ff0..c56fc3be 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main, develop ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e37ed46b..a1b22741 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
         default: 'true'
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   release:
     permissions: 
diff --git a/.github/workflows/sync-release-notes.yml b/.github/workflows/sync-release-notes.yml
index 66ced58a..b7e31110 100644
--- a/.github/workflows/sync-release-notes.yml
+++ b/.github/workflows/sync-release-notes.yml
@@ -5,6 +5,9 @@ on:
   release:
     types: [published, edited]  # Automatic trigger when releases are published or edited
 
+permissions:
+  contents: read
+
 jobs:
   sync-release-notes:
     runs-on: ubuntu-latest